"Maurer, Hansjörg"
2012-Apr-12 12:04 UTC
[Samba] user map Problem with security= ADS after upgrade from 3.5.13 to 3.6.4
Hi,

we are running samba on Linux as an AD member. Linux is integrated into the AD with Vintela Authentication Services. The "normal" AD users are unix enabled and available on the linux system using nss/vas. Therefore we used

idmap config DLR: backend = nss
idmap config DLR: readonly = yes

In the AD we have some administrative accounts which are not unix enabled (like username-adm).

Up to samba 3.5.13 we have been able to map these administrative accounts to root on the samba server

root = DLR\username-adm

With 3.6.4 this does not work any more.

If I connect from a workstation logged in as DOMAIN\username-adm I get a password prompt.

It seems that the mapping is ok

Kerberos ticket principal name is [username-adm@INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
  Mapped user DLR\username-adm to root

but with 3.6.4 it seems that even if a user is mapped to root a unix account is required for the original user

Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.

Of course we can unix enable an adm-account, but before doing so, I want to know if there might be another solution.

Regards
Hansjörg

[2012/04/12 13:33:35.870906, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/04/12 13:33:35.871057, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/04/12 13:33:35.871282, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2012/04/12 13:33:35.871472, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.871698, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.876804, 3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.877386, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [username-adm@INTRA.DLR.DE]
[2012/04/12 13:33:35.877609, 3] auth/user_util.c:402(map_username)
  Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.896434, 3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.
[2012/04/12 13:33:35.896609, 1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.896794, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/04/12 13:33:35.896975, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.898900, 3] smbd/server_exit.c:180(exit_server_common)
  Server exit (failed to receive smb request)
[2012/04/12 13:33:35.911450, 3] smbd/negprot.c:419(reply_nt1)
  using SPNEGO
[2012/04/12 13:33:35.911651, 3] smbd/negprot.c:704(reply_negprot)
  Selected protocol NT LM 0.12
[2012/04/12 13:33:35.912998, 3] smbd/process.c:1662(process_smb)
  Transaction 1 of length 6992 (0 toread)
[2012/04/12 13:33:35.913232, 3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 4861) conn 0x0
[2012/04/12 13:33:35.913366, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/04/12 13:33:35.913530, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/04/12 13:33:35.913647, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2012/04/12 13:33:35.913803, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.914000, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.919423, 3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.919825, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [username-adm@INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
  Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.931919, 3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.
[2012/04/12 13:33:35.932087, 1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.932385, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/04/12 13:33:35.932603, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.938360, 3] smbd/server_exit.c:180(exit_server_common)
  Server exit (failed to receive smb request)
[2012/04/12 13:33:35.944654, 3] lib/access.c:338(allow_access)
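
Added example, not part of the original post and not Samba code: a small Python filter that pairs the two entries the post points to, a `map_username` hit followed by a `check_account` getpwnam() failure for the same pre-mapping account. The function names `entries` and `mapped_but_denied` are hypothetical; the sample entries are copied from the excerpt above.

```python
import re

# Header of one smbd debug entry: "[date time, level] file:line(function)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+"
                    r"(\S+):(\d+)\((\w+)\)")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
NO_PWNAM = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")


def entries(text):
    """Yield (timestamp, function, message) per entry; works on smbd's native
    two-line layout and on text flattened onto one line."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.group(1), h.group(5), " ".join(text[h.end():end].split())


def mapped_but_denied(text):
    """Return one record per username-map hit that was followed by a
    getpwnam() failure for the same pre-mapping account name."""
    pending = {}  # original name -> (timestamp, mapped-to name)
    hits = []
    for ts, func, msg in entries(text):
        m = MAPPED.search(msg)
        if func == "map_username" and m:
            pending[m.group(1)] = (ts, m.group(2))
            continue
        f = NO_PWNAM.search(msg)
        if func == "check_account" and f and f.group(1) in pending:
            mapped_at, target = pending.pop(f.group(1))
            hits.append({"user": f.group(1), "mapped_to": target,
                         "mapped_at": mapped_at, "denied_at": ts})
    return hits


# Entries copied from the excerpt in the post, restored to two-line layout.
SAMPLE = r"""
[2012/04/12 13:33:35.877609,  3] auth/user_util.c:402(map_username)
  Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.896434,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.
[2012/04/12 13:33:35.896609,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
"""

if __name__ == "__main__":
    for hit in mapped_but_denied(SAMPLE):
        print("{user} -> {mapped_to}: mapped {mapped_at}, denied {denied_at}".format(**hit))
```

Run over a level-3 smbd log, each record names an account that the username map sends to another user (here root) but that has no Unix account of its own.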